The <filteringRules> element is roughly analogous to the RuleList feature that was added to URLScan 3.0.

Setup

The default installation of IIS 7 and later includes the Request Filtering role service or feature. If the Request Filtering role service or feature is uninstalled, you can reinstall it using the following steps.

Windows Server 2012 or Windows Server 2012 R2

On the taskbar, click Server Manager.

In Server Manager, click the Manage menu, and then click Add Roles and Features.

In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.

In the Connections pane, go to the site, application, or directory for which you want to configure request filtering.

In the Home pane, double-click Request Filtering.

In the Request Filtering pane, click the Rules tab.

In the Actions pane, click Add Filtering Rule.

Enter the following information for the filtering rule in the Add Filtering Rule dialog:

Enter a friendly name for the filtering rule in the Name field.

Select Scan url if you want the filtering rule to scan the URL stub for the request.

Select Scan query string if you want the filtering rule to scan the query string for the request.

Enter any HTTP headers to scan in the Scan Headers collection.

Enter the file name extensions to use with the filtering rule in the Applies To collection.

Enter the collection of strings to deny for the filtering rule in the Deny Strings collection.

Click OK to close the Add Filtering Rule dialog.

Configuration

The <add> element of the <denyStrings> element is configured at the site, application, or directory level.

Attributes

Attribute

Description

string

Required string attribute.

Specifies a unique string which a request filtering rule will deny.

There is no default value.

Child Elements

None.

Configuration Sample

The following sample displays a <requestFiltering> element that uses the <denyStrings>, <appliesTo>, and <scanHeaders> elements to define a request filtering rule that will prevent image stealing (leeching) for a specific user agent.

The following sample displays a <requestFiltering> element that defines a request filtering rule that prevents SQL injection attacks by denying a collection of text strings in query strings that are often used in SQL injection attacks.

Sample Code

The following examples demonstrate how to use the <denyStrings>, <appliesTo>, and <scanHeaders> elements to add a request filtering rule for the Default Web Site that will prevent image stealing (leeching) for a specific user agent. Here is the scenario for this example: If you detected that images on your web site were being leeched by a particular user agent, you could create a request filtering rule that denies access to image files for that specific user agent. In this particular example, the request filtering rule will search the HTTP user-agent header for the string "leech-bot," and will deny access to GIF, JPG, and PNG files if the user-agent header contains the search string.